Secrets Management with Zoho Vault
Managing passwords in an organisation
Managing secrets and passwords for an organisation is more complex than personal password management. Tools such as KeePass offer good protection for individual use but are not suitable when passwords need to be owned, managed, shared and audited within an organisation.

Zoho Vault allows organisations to manage their passwords effectively with the following tools:

- Role-based access to passwords
- Full reporting and auditing
- Password sharing and revocation
- Secure third-party sharing, with a separate encryption key and time-limited access
- Break-glass accounts
- Secure backup and history
- Controls over password complexity
- Controlled access to passwords via Microsoft 365 Single Sign-On and Conditional Access

Requirements and Recommendation
As the MSP for your ICT systems, we have to manage a lot of passwords for you. We need to ensure that:

- The relevant parties have access to the passwords they need. For example, your Tech Lead may need the password to a router and your Marketing Department may need access to a Twitter account.
- When a member of staff leaves, we can audit which passwords they have accessed and reset them as necessary.
- In the event of an emergency, business owners have easy access to passwords and can securely make passwords available to consultants or officials.
- The correct tools are available to your staff so we can teach password management best practices.

We recommend Zoho Vault based on price and functionality. For a list of Zoho's compliance and certifications, see here.
One-touch access to passwords
Your Master Password needs to be complex. If you access your Vault frequently, typing a complex password can be tiresome and poses a security risk. If you require access to multiple Vaults for cross-tenancy administration, the problem is compounded.
​
It is possible to use Microsoft Edge profiles to assist with the storage and entry of your Master Password and provide one-touch access to your password vault. This also makes Zoho Vault behave more like a traditional desktop application.

- In Edge, click your profile icon and then Add Profile.
- A new Edge window will appear. Click the new profile icon > Manage Profile Settings and change the profile name, picture and theme colour so you can easily distinguish it from your usual profile. For example, you could call the profile Vault, pick the Ninja icon and make the theme red.
- Click Passwords and set the following:
  - Sign In: With Device Password
  - Sign In: Always
- Under Profiles > Profile Preferences, change "Default profile for external links" to your primary profile. This prevents links you click from opening in the Vault profile.
- Under Start, Home and New Tabs, set the startup page to https://vault.zoho.eu.
- Pin the shortcut to the taskbar so you have easy access to the Vault. Edge allows you to pin multiple profiles so you can easily switch between them.
- Log in to vault.zoho.eu and save your Master Password in Microsoft Edge.

Whenever you need access to your Vault, you can now open this new Edge profile from your taskbar. Edge will prompt you to authenticate with Windows Hello for Business before auto-filling your Master Password. You can authenticate with fingerprint, facial recognition or device PIN, so one-touch fingerprint access to your Vault is possible. Note that, as with UAC elevation, Windows 10 does not yet offer FIDO2 authentication at this prompt.

Your Vault password is stored on your local device (which is BitLocker-encrypted) and is encrypted by Edge. Microsoft Edge's password management system is described in more detail here.

If your laptop does not have an integrated fingerprint reader, the following devices are suitable:

Configuring backups
It is important that you enable backups of your Zoho Vault. The Tech Lead in your organisation should follow these steps to receive nightly backups of the Vault to their Microsoft OneDrive account:

- Log in to Zoho Vault. This is a two-part process: first you authenticate with Zoho (use Single Sign-On for this and authenticate with your Azure credentials), then you enter your Vault Master Password.
- Click Settings, and then under the User Configurations column select Cloud Backup.
- Toggle the switch under OneDrive to enable it, then click Generate Token.
- Follow the Microsoft prompts to authorise Zoho to use your OneDrive.
- Click Save.

Backups run daily. Check your OneDrive the following day: you should see a folder called Zoho_Vault_Backup containing a .zip file, which is your Zoho Vault backup. Ensure you can open the backup and access your passwords.

Note that the passwords are displayed in a flat structure and are not grouped by folder.
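The check above (a fresh backup exists and can be opened) can be automated so that a missing or stale backup is noticed the same day. The PowerShell script below is an added example, not part of this guide or of Zoho's tooling; it assumes the OneDrive client syncs to $env:OneDrive, that the folder is named Zoho_Vault_Backup as described, and that 36 hours is an acceptable maximum backup age.

```powershell
# Added example (not from this guide or from Zoho): confirm the nightly
# Zoho Vault backup has reached OneDrive and is a readable .zip.
# Assumptions: the OneDrive client syncs to $env:OneDrive, Zoho writes into
# the Zoho_Vault_Backup folder, and 36 hours is an acceptable maximum age.
param(
    [string]$BackupDir = (Join-Path $env:OneDrive 'Zoho_Vault_Backup'),
    [int]$MaxAgeHours = 36
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-ZohoVaultBackup {
    param([string]$Dir, [int]$MaxAge)
    if (-not (Test-Path -LiteralPath $Dir)) {
        return [pscustomobject]@{ Ok = $false; Reason = "Backup folder not found: $Dir" }
    }

    # The newest .zip is what the most recent nightly run should have produced.
    $latest = Get-ChildItem -LiteralPath $Dir -Filter '*.zip' -File |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) {
        return [pscustomobject]@{ Ok = $false; Reason = "No .zip backups in $Dir" }
    }

    $ageHours = [int]((Get-Date) - $latest.LastWriteTime).TotalHours
    if ($ageHours -gt $MaxAge) {
        return [pscustomobject]@{ Ok = $false; Reason = "Latest backup $($latest.Name) is ${ageHours}h old" }
    }

    # Open the archive to prove it is a complete zip rather than a zero-byte or
    # partially synced file. Only the entry list is read; nothing is extracted.
    try {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($latest.FullName)
        $entryCount = $zip.Entries.Count
        $zip.Dispose()
    } catch {
        return [pscustomobject]@{ Ok = $false; Reason = "Cannot open $($latest.Name): $($_.Exception.Message)" }
    }
    if ($entryCount -eq 0) {
        return [pscustomobject]@{ Ok = $false; Reason = "$($latest.Name) contains no files" }
    }

    return [pscustomobject]@{ Ok = $true; Reason = "$($latest.Name) written $($latest.LastWriteTime), $entryCount entries" }
}

$result = Test-ZohoVaultBackup -Dir $BackupDir -MaxAge $MaxAgeHours
Write-Output $result.Reason
# Non-zero exit lets a scheduled task or RMM alert when the backup is missing or stale.
if (-not $result.Ok) { exit 1 }
```

If OneDrive Files On-Demand is enabled, the newest .zip may be a cloud-only placeholder that OneDrive downloads when the script opens it, so run the script while signed in to the Tech Lead's OneDrive.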